Firewall Wizards mailing list archives

RE: Link level security with static arp tables

From: "Ben Nagy" <ben () iagu net>
Date: Wed, 15 Oct 2003 16:11:56 +0200

-----Original Message-----

[Magosanyi Arpad]

If real authentication, integrity and confidentality is needed,
I would do IPSEC. Any other (or same) ideas?


[This is Paul]

[Strong reservations expressed, but IPSec is]

a viable alternative, as is a gateway between 
user segments 
and backbones simlar to those found in airports and coffee 
shops isn't all 
that bad an idea (or an authenticating firewall...)


I know....how about SOCKS!

Seriously, we're just indulging in over-engineering here. However, if I were
doing it for a strong security environment I have grave concerns about
IPSec. Hard to install, hard to maintain, ugly protocol at the best of times
and at the basic level it only does machine-level authentication.

The Microsoft IPSec/Kerberos implementation is a better approach, but we all
know there are lots of interop and fast-and-loose standards problems. At
least it tries to authenticate the user and the station, which is a big step
in the right direction.

Frankly, in a real world environment that needed strong security along these
lines I would apply a combination of good physical security, no active
unused wall-points and the switch Port/MAC thing. All external access would
be via a proxy which can authenicate each user. A circuit level gateway
really is a good match for this problem. If only SOCKS didn't suck. :)

If I can't have any physical security I vote for 802.1x over IPSec. The
problem with the IPSec thing is that the attacker is physically able to see
and interfere with traffic and we rely on our technical controls to deal
with it from there. 802.1x starts with the port in a null VLAN where the
attacker sees nothing. 

I am not aware of how PEAP is "known broken" for this kind of application
(assuming one takes just a little care), and I'm not sure it will go away.
If anyone has any good stuff to point me at I'd be interested in discussing
this aspect further. I am, of course, familiar with the IETF draft. [1] I
agree that I much prefer EAP-TTLS [2], since it's a cleaner design, but
"word on the street" has it that PEAP is looking more likely to emerge as
market victor.

ben

[1] http://www.ietf.org/internet-drafts/draft-puthenkulam-eap-binding-03.txt
[2] http://www.ietf.org/internet-drafts/draft-ietf-pppext-eap-ttls-03.txt

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Link level security with static arp tables Debian User (Oct 13)
- Re: Link level security with static arp tables Luke Butcher (Oct 14)
  - Re: Link level security with static arp tables Magosányi Árpád (Oct 15)
    - Re: Link level security with static arp tables Paul Robertson (Oct 15)
    - RE: Link level security with static arp tables Ben Nagy (Oct 15)
    - RE: Link level security with static arp tables R. DuFresne (Oct 15)
    - Re: Link level security with static arp tables Bennett Todd (Oct 15)
- Re: Link level security with static arp tables Martin A. Brown (Oct 14)
- RE: Link level security with static arp tables Ben Nagy (Oct 14)
- <Possible follow-ups>
- RE: Link level security with static arp tables Sloane, David (Oct 14)